NHTSA issues nonbinding guidance on auto cybersecurity

NHTSA Administrator Mark Rosekind: “In the constantly changing environment of technology and cybersecurity, no single or static approach is sufficient.”

WASHINGTON — The National Highway Traffic Safety Administration released new guidance for how automakers should approach cybersecurity amid growing scrutiny prompted by high-profile vehicle hacks and the spread of car connectivity technologies.

NHTSA says cybersecurity should be a top priority of automakers and suppliers that should be formally addressed during the product development process of new vehicles. The agency also says automakers and suppliers should conduct “penetration tests” to seek out potential vulnerabilities. Test results should be documented to describe how weak spots were addressed or the rationale for not addressing vulnerabilities found in testing.

The 22-page guidance is nonbinding and follows earlier cybersecurity “best practices” released in July by the Automotive Information Sharing and Analysis Center, a consortium of major automakers formed to act as a clearinghouse to share cybersecurity information.

“In the constantly changing environment of technology and cybersecurity, no single or static approach is sufficient,” NHTSA Administrator Mark Rosekind said in a statement. “Everyone involved must keep moving, adapting, and improving to stay ahead of the bad guys.”

The guidance also highlights NHTSA’s view that its authority covers auto cybersecurity even though the issue is not addressed by one of the existing Federal Motor Vehicle Safety Standards.

The agency and automakers alike have felt pressure from lawmakers to take a more aggressive approach on vehicle security in the last two years, with some proposing legislation to direct NHTSA and the Federal Trade Commission to write new regulations setting minimum digital protections.

Long a topic of interest in the security research community, auto cybersecurity gained a broader audience in the summer of 2015, when researchers Charlie Miller and Chris Valasek hacked a Jeep Cherokee and took control of key vehicle systems using a laptop from miles away.